insurance

Malvertising …… the hidden threat – last week a number of major news websites saw their advertisment hijacked by a malicious angler campaign that attempted to install ransomware on users computers. The attack, which was initially targeted at US users, hit websites including the BBC, AOL, New York Times and the NFL ……the combined volume of traffic for these websites totalled billions of visitors.

It is understood that the malware was delivered through multiple ad networks, and used a number of vulnerabilities, which included a recently-patched flaw in Microsoft’s former Flash competitor Silverlight.

The Daily Mail , Skype and and the Premier League Fantasy website have all been targeted within the last month with malvertising campaigns.

Malvertising uses advertising networks to spread malicious flash objects and other pieces of malicious code to other websites. Hackers will then upload these malicious flash objects and other pieces of malicious code to ad networks, paying the network to distribute them like as if they are real advertisements.

For example you could visit a newspaper’s website and an advertising script on the website would download an ad from the ad network. The malicious advertisement would then in turn try to compromise the web browser.

Malvertising takes advantage of flaws in software that the user is utilizing in order to infect the user on a legitimate websites, this reduces the need to fool the user to visiting a malicious website.

The most popular times for these attacks are on a Friday when there is less monitoring being carried out for suspicious activities and when there is heavy web surfing during the weekends.

There are a number of methods used for injecting malicious advertisements or programs into webpages such as :-

Pop-up ads

Drive by downloads

Web widgets

Malicious banners on websites

Third party advertisments on websites

Third party forums such as forums or help desks

There are a number of ways of protecting websites from malvertising attacks such as keeping plug-ins and web browsers updated. Risk management also has an important role to play in particularly management and surveillance of the supply chain.

A cyber insurance policy can provide coverage for an attack of this nature through the disruption it may cause to a business and also the vendor services provided via monitoring and forensic investigation.

Cyber business interruption is considered by 49% of businesses to be their biggest concern in the event of a cyber breach according to the Institute of Directors recent policy report “Cyber Security; underpinning the digital economy”

The report, sponsored by Barclays carried out a survey of 1000 businesses which showed that one in eight members suffered damage as a result of a cyber business interruption attack. Of this 11% suffered actual financial loss which demonstrates that cyber crime can impact on the balance sheet of businesses in a significant fashion. Interestingly only 28% of these incidents were reported to the police.

Some other highlights of the Institute of Directors Policy Voice Survey were as follows:-

57% had a formal cyber/information security strategy in place

49% said they provided cyber awareness training for employees

43% didn’t know where their data was physically stored

72% experienced social engineering scams

20% hold cyber insurance (with 21% unsure if they did have this)

21% are considering the purchase of cyber insurance

The survey demonstrates that cyber security is taking a much higher profile within businesses and they are now actively improving their cyber security but there is room for considerable improvement. There were many key moments in 2015 with the high profile breaches of TalkTalk and Ashley Madison which has made businesses look up and think ” could this happen to us”? The answer is of course “yes” and in fact could be happening right now with an average breach taking six months to discover.

Richard Benham, Professor of Cyber Security Management , the author of the report has identified four key trends that are likely to become increasingly important in the coming years:-

Cyber in the boardroom – cyber risk is now at boardroom level and cyber risk strategies are likely to be formulate here.

Cyber education – the UK government will play an important role through the promotion of Cyber Essentials and the instigation of courses such as The National Awareness Course.

The Cloud – this will rise in prominence but businesses most not ignore the management of their data.

Cyber insurance – this form of insurance has developed in recent years to cover both first and third party exposures of a businesses , whilst still an evolving product it is being considered by more businesses and this is likely to increase.

The Institute commented “Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

The report concludes highlighting that cyber security is an international threat, the suggested key is to have in place a credible plan that can assess the large spectrum of threats and how these can best be managed by a business.

UK businesses can achieve this through robust cyber security management , this should be complemented with cyber insurance on the basis that coverage is appropriate for the business and that it is not recognized to be the “cure for all evils” in the cyber threat landscape that exists today.

A cyber insurance policy can provide coverage for cyber business interruption by way of standard coverage or a bespoke policy endorsement therefore helping a business to manage this cyber peril.

In the US last week a hacker broke into the University of California’s computer system which contained 80,000 students. This apparently occurred in December whilst the university was in the process of patching a security flaw in their financial management system.

This followed a similar breach earlier this year at the University of Florida where private information of current and former employees were accessed going back to 1980. A lawsuit has been issued which is seeking a class action status. There was also criticism on how the breach was managed.

On this side of the Atlantic in December university students were unable to submit work as a result of the academic computer network called “Janet” coming up against a distributed denial of service (DDOS) attack causing reduced connectivity and disruption. The University of Manchester was one of the universities impacted by the DDOS attack.

Earlier, last year the University of London Computer Centre (ULCC) was hit by a cyber attack which again left millions of students unable to access the organisation’s IT services. The centre provides services to over 300 UK institutions and supports over two million higher education and further education students on its open-source learning platform Moodle.

The education sector accounted for nearly 10 per cent of all breaches in the past year, according to cyber security company Symantec.

So what are some of the cyber security risks that exists in the education sector?

Personal Data

Universities and colleges contain an abundance of personal data which makes them attractive to hackers, such as credit card details, medical information of current and former students and employees. This also becomes complicate to manage as students come from many different parts of the world bringing with them wide ranging data protection regulations.

Multiple Entry Points

The education sector traditionally provides multiple entry points with a huge spectrum of users having access to its networks. The access is also available 24/7 365 days a year via many devices that may not be secure such as laptops logging in from remote wi-fi locations.

Social Media

Within the education framework social media features prominently and in the absence of social media policies with specific standards in place this can leave a university vulnerable in terms of the inadvertent sharing of information that may not be meant for the public domain.

Separate Networks

A college or polytechnic may consist of a number of separate networks which may not contain a high level cyber security and therefore present a number of cyber security risks.

Intellectual Property

Certain establishments contain highly sensitive research information in the fields of science, health , defense and aerospace. This could make them a target for hackers and terrorist organisations.

Cyber Security Research

Cyber security research itself could also be a target with the Global Centre for Cyber Security Capacity building in Oxford University’s Martin School. A number of universities have been awarded Academic Centres for Excellence in Cyber Security Research, such as the Bristol and Kent Universities which means that they will work more closely with the Government Communications Headquarters (GCHQ).

Cyber liability insurance can play a very important role in supplying an extra layer of comfort in the event of a cyber attack to education establishments, providing coverage for a significant number of the potential cyber security risks that exist in this sector.

Should we share cyber security information ?

Is this a good idea… there are very good reasons why we should share cyber security information and there are also reasons that perhaps it may not be such a good idea.

The current landscape seems to be moving towards the sharing of this confidential and sensitive information with regulation being imposed on both sides of the Atlantic in recent months to promote and encourage the sharing of cyber security information.

At the end of last year the EEC announced The Network and Information Security Directive(NIS) which is a security and reporting directive for companies in critical business sectors , namely transport , energy , health and finance. This is also applicable to the businesses such as Google and Amazon.

This Directive includes a requirement to report cyber security breaches which is aimed to encourage greater visibility of cyber crime and data breaches within companies and for companies to address their own cyber security.

It is anticipated that this will be ratified in the Spring, with implementation anticipated within the next two years.

In the US , also at the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed by the Senate which allows companies to share cybersecurity threat data with the Department of Homeland Security (DHS) and other federal agencies. A number of bodies that already exist in the US which include the sharing of cybersecurity information . These include Enhanced Cybersecurity Services (ECS) which is a voluntary information sharing program and whose aim is to help better protect busineses customers and the National Cybersecurity and Communications Integration Centre (NCCIC) which shares information with public and private sector partners.

In the UK the Cyber-security Information Sharing Partnership (CiSP) exists which is part of CERT-UK . This is a joint industry government initiative set up to share cyber threat and vulnerability information in order to increase overall awareness of cyber threats and help mitigate the impact this may have on UK businesses.

The British Insurance Brokers Association ( BIBA) have recently endorsed (CiSP) to encourage insurance brokers to join CiSP to share the knowledge of over 4000 cyber-security professionals from over 1500 organisations. The government is also very keen that the insurance industry works closer with cyber security professionals and it is likely that we will see evidence of this in the future via associations and collaborations.

Let’s now review the positives and negatives of sharing cyber security information :-

Positives

It provides information to business on the latest forms of malware, spear phishing campaigns, and known malicious domains

Improvement in technology to combat the latest forms of security threats

Information derived from claims that insurers can assess / rate and improve the coverage under cyber insurance policies.

Assessment of insurers aggregation

Information to help insurers analyse cyber catastrophe models

Provision of knowledge to help anticipate future terrorists lead cyber attacks

Negatives

Possible release of confidential information of cyber attacks and data breaches to third parties

The information provided may impact on a company to carry out businesses with existing customers being concerned with poor cyber security measures.

Collateral damage to reputation of a business and impact on stock market share price

Hackers gain access to extremely sensitive data bases

Perceived by some that “big brother” is spying and will encourage surveillance of businesses

Inadvertent sharing of personally identifiable information

The cyber security industry also has an important role to play as they are arguably possess the greatest amount of cyber security data, this is no doubt considered valuable intellectual property and there would be a reluctance to readily share this to a wider audience without distribution to secure destinations.

The sharing of cyber security information is more advanced in the US than the EEC / Rest of the World and is reflective of two very differing cyber landscapes , with the US being more mature in terms of number and size of cyber security breaches and the existing litigation that helps drives notification.

The sharing of cybersecurity information definitely has a role to play in the development of the improvement of cyber security and the defence of cyber attacks that can threaten a business…… how it is shared is perhaps the current dilemma facing governments and regulators.

Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex ! In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?

The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.

This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-

1.Knowledge

Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.

2. Policy Coverage

The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.

3. Cost Prohibitive

The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.

4. IT Reluctance

The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the Wallix.com survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.

5. Data & Privacy Laws

There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.

6.Maturity of Market

The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.

Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.

Is the healthcare sector the next target in the UK for hackers to bring about a major data breach?

In the US over the past year there have been a number of high profile and costly data breaches, the largest of which was suffered by the health insurer , Anthem Inc where 80 million personal records were stolen, in addition to this there were four other known multi-million record data breaches in this sector. In the UK the number of data breaches so far have been small in comparison and have been limited to loss of laptops and USB’s causing minor data breaches.

According to the 2015 Global Ponemon Institute Study on data breaches there are signs of a significant increase in cyber attacks in the healthcare industry . The study identified that 91% of healthcare organizations have been subject to one data breach. Cyber attacks in this sector were also up by 125% from 2010 to 2015.

So what types of data are stored by these bodies that would make them attractive to a hacker ?

Patient Information

Medical records

Test Records

Appointment information

Medical insurance details

Credit card and bank card details

Employee Information

National Insurance records

Salary details

Bank details

e-mail addresses

telephone numbers

In addition to this these bodies are likely to be dependent on third parties who may provide or store some of this data.

Where would a possible threat come from that might cause a data breach ?

Insider Threats

Employee negligence where as a result of an error causes a security failure or they carelessly leave a lap top on a train

Employee ignorance where inadvertent disposal of personal data occurs or perhaps a lack of training and awareness

A malicious employee who may be unhappy and wishes to cause disruption

Outsider Threats

Hacker attack which can take the form of many methods such as by the injection of malware into a computer system or the bringing a phishing attack.

Theft being caused as a result of social engineering tool to disguise e-mails that may lead to an extortion threat in an effort to release data.

Third party vendors who may have been breached themselves and caused a subsequent data breach to the primary entity.

Why are healthcare records being targeted by hackers?

Healthcare records are worth 5 times more than the value of credit cards

Credit cards can be cancelled

The value of healthcare data can be utilized for a wider variety of purposes

What are the end use for healthcare records?

Personal Identity Theft

Financial Identity Theft

Various forms of insurance fraud

The falsifying of prescriptions

The Healthcare sector in general has a number of challenges including the management of on-going conversion from paper records to digital files and maintaining of computer security that constantly require updating to keep pace with the technology that hackers now possess.

Aside the threat of a data breach is the threat that more medical devices are connected to the network and the ensuing connection to IP networks which exposes devices to more cyber attacks. The “Internet of Things” is also a real threat to this sector and more so to patients where there is an ability to hack medical devices like insulin pumps or pacemakers.

Cyber liability insurance can play an important role to help mitigate a serious data breach and should be a important consideration by organizations in this industry. This sector is perceived to be in a high risk category by the insurance market and it is therefore an area that cyber security consultants can add considerable value here to help insurers assess the relative exposures and offer commensurate premium and terms.